1. Double spends aren't possible, with Replace-by-fee or without it. And it doesn't have much to do with scaling really. If you are the receiver of any BTC transaction (RBF or not), wait for it to be confirmed in a block before you consider the money to be safely yours.
2. Mitigations and solutions are/will be available for Flood & Loot, really all the major Lightning node implementations already had mitigations in place, as the basis of this attack was discovered around 1 year ago by Lightning developer Rene Pickhardt (the authors of the Flood & Loot paper describe a variant of the attack that Rene discovered)
Don't know anything about the Liquid vuln, but it's slightly irrelevant in the long term if exchanges simply use Lightning channels instead (Liquid was available before Lightning, and is designed to provide BTC liquidity to cryptocurrency exchanges by allowing them to exchange BTC faster than the on-chain Bitcoin network can)
It's not really much of a bad sign IMO:
- dev finds vulnerabilty
- discloses responsibly to other devs
- mitigations written and implemented
- 1 year later, someone else figures it out and publishes details